Make HSTS behaviour configurable; Fixes #584

This commit is contained in:
Literallie 2017-10-13 01:09:04 +02:00
parent 53c2d0b5ca
commit 56411ca0e1
No known key found for this signature in database
GPG key ID: 7BE463C902ED152C
4 changed files with 26 additions and 5 deletions


@ -166,6 +166,7 @@ Application settings `config.json`
| port | `80` | web app port | | port | `80` | web app port |
| alloworigin | `['localhost']` | domain name whitelist | | alloworigin | `['localhost']` | domain name whitelist |
| usessl | `true` or `false` | set to use ssl server (if true will auto turn on `protocolusessl`) | | usessl | `true` or `false` | set to use ssl server (if true will auto turn on `protocolusessl`) |
| hsts | `{"enable": "true", "maxAgeSeconds": "31536000", "includeSubdomains": "true", "preload": "true"}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) |
| protocolusessl | `true` or `false` | set to use ssl protocol for resources path (only applied when domain is set) | | protocolusessl | `true` or `false` | set to use ssl protocol for resources path (only applied when domain is set) |
| urladdport | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) | | urladdport | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) |
| usecdn | `true` or `false` | set to use CDN resources or not (default is `true`) | | usecdn | `true` or `false` | set to use CDN resources or not (default is `true`) |

app.js

@ -97,11 +97,16 @@ var sessionStore = new SequelizeStore({
app.use(compression()) app.use(compression())
// use hsts to tell https users stick to this // use hsts to tell https users stick to this
if (config.hsts.enable) {
app.use(helmet.hsts({ app.use(helmet.hsts({
maxAge: 31536000 * 1000, // 365 days maxAge: config.hsts.maxAgeSeconds * 1000,
includeSubdomains: true, includeSubdomains: config.hsts.includeSubdomains,
preload: true preload: config.hsts.preload
})) }))
} else if (config.usessl) {
logger.info('Consider enabling HSTS for extra security:')
logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
}
i18n.configure({ i18n.configure({
locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'], locales: ['en', 'zh', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
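Review bot: `if (config.hsts.enable)` only tests truthiness, so a string value such as `"false"` still enables HSTS, and `includeSubdomains` / `preload` are passed to helmet unconverted in the same way — yet the production example in config.json (the `"hsts"` block in the third section of this commit) and the new README row document string values `"true"` and `"31536000"`, while the development example and the default config use real booleans and a number. Either the examples should use JSON types, `"hsts": {"enable": true, "maxAgeSeconds": 31536000, "includeSubdomains": true, "preload": true}`, or the guard should normalise, e.g. `if (config.hsts.enable === true || config.hsts.enable === 'true')`, so that operators who copy the documented example cannot end up with HSTS (and preload) silently on. A non-numeric or missing `maxAgeSeconds` also reaches helmet as `NaN` after `* 1000` with no check here; whether a user-supplied `hsts` object is deep-merged with the defaults (so a missing key falls back to a year) depends on the config loader, which is not part of this diff. The hunk's trailing context appears to be cut off on this page.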


@ -6,6 +6,9 @@
} }
}, },
"development": { "development": {
"hsts": {
"enable": false
},
"db": { "db": {
"dialect": "sqlite", "dialect": "sqlite",
"storage": "./db.hackmd.sqlite" "storage": "./db.hackmd.sqlite"
@ -13,6 +16,12 @@
}, },
"production": { "production": {
"domain": "localhost", "domain": "localhost",
"hsts": {
"enable": "true",
"maxAgeSeconds": "31536000",
"includeSubdomains": "true",
"preload": "true"
},
"db": { "db": {
"username": "", "username": "",
"password": "", "password": "",


@ -7,6 +7,12 @@ module.exports = {
urladdport: false, urladdport: false,
alloworigin: ['localhost'], alloworigin: ['localhost'],
usessl: false, usessl: false,
hsts: {
enable: true,
maxAgeSeconds: 31536000,
includeSubdomains: true,
preload: true
},
protocolusessl: false, protocolusessl: false,
usecdn: true, usecdn: true,
allowanonymous: true, allowanonymous: true,